On Fri, Jun 11, 2010 at 10:04 PM, Michael Nordman <michaeln@google.com> wrote:
> Another advantage is that...
> blobdata://http_responsible_party.org:80/3699b4a0-e43e-4cec-b87b-82b6f83dd752
>
> ... makes it clear to the end user who the responsible party is when these
> urls are visible in the user interface. (location bar, tooltips, etc).

It doesn't, it just means yet another way for scripts to confuse the user.
Every time we provide a string whose domain is in control of a domain,
the set of evil uses increases as evil groups set up more interesting
domains and trick users for another two or three years.

With browsers targeting smaller devices, as well as users who are less
familiar with the web, or even experienced users who missed memos
about IDN, these "improvements" just cause more problems.

Tab: I'd like to specifically call you out for your inclusion of:
http://www.詹姆斯.com/blog/2010/06/html5-atom-gone-wrong, a comparison
in a recent email. .COM does not allow IDN and you should not have
used that. I know someone was being cute, but that doesn't justify
confusing users. I don't have time to construct a similarly written
domain which happens to go to my own spoof, nor am I going to invest
the ~9 USD that it would cost to do so, but it is perfectly reasonable
for someone else to do so. The time it would take is probably around
10 mins including picking a similar character, registering the domain,
and posting content.

It's true that this spoof would not fool all of the people all of the
time, but it would probably fool most of the people most of the time.
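
An added example, not part of the original message or of any browser's code: a display-side check for the host embedded in a URL such as the proposed `blobdata://` form, which shows a mixed-script label in its ASCII (`xn--`) form and notes any non-ASCII label. The function names, the display policy and the `p\u0430ypal.example` input are assumptions constructed for this sketch.

```python
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label):
    """Approximate the scripts used in a label from Unicode character names."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue  # digits, hyphen and underscore are script-neutral
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def display_host(url):
    """Return (host_to_show, warnings) for a URL about to appear in UI."""
    host = urlsplit(url).hostname or ""
    shown, warnings = [], []
    for label in host.split("."):
        if label.isascii():
            shown.append(label)
            continue
        try:
            a_label = label.encode("idna").decode("ascii")
        except UnicodeError:
            warnings.append("label cannot be converted to ASCII form")
            shown.append("[invalid]")
            continue
        scripts = label_scripts(label)
        if len(scripts) > 1:
            # Assumed policy: never render a mixed-script label as Unicode.
            warnings.append(f"mixed scripts {sorted(scripts)}: {a_label}")
            shown.append(a_label)
        else:
            warnings.append(f"non-ASCII label ({scripts.pop()}): {a_label}")
            shown.append(label)
    return ".".join(shown), warnings


if __name__ == "__main__":
    samples = [
        "blobdata://http_responsible_party.org:80/3699b4a0-e43e-4cec-b87b-82b6f83dd752",
        "http://www.詹姆斯.com/blog/2010/06/html5-atom-gone-wrong",
        "blobdata://p\u0430ypal.example:80/id",  # constructed: Cyrillic U+0430
    ]
    for url in samples:
        print(display_host(url))
```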